[Pkg-shadow-commits] r704 - trunk/debian/patches

Nicolas FRANCOIS nekral-guest at costa.debian.org
Wed Dec 14 22:13:48 UTC 2005


Author: nekral-guest
Date: 2005-12-14 22:13:48 +0000 (Wed, 14 Dec 2005)
New Revision: 704

Added:
   trunk/debian/patches/469_non-su-options
   trunk/debian/patches/470_su.1_document_options
   trunk/debian/patches/471_su_simplify_option_preserve_environment
   trunk/debian/patches/472_su_exported_variables
   trunk/debian/patches/473_su_fix_comments
   trunk/debian/patches/474_useradd_fix_comments
   trunk/debian/patches/475_su_use_amroot_instead_of_getuid
Modified:
   trunk/debian/patches/series
Log:
Add patches sent to the mailing list


Added: trunk/debian/patches/469_non-su-options
===================================================================
--- trunk/debian/patches/469_non-su-options	2005-12-14 22:10:48 UTC (rev 703)
+++ trunk/debian/patches/469_non-su-options	2005-12-14 22:13:48 UTC (rev 704)
@@ -0,0 +1,37 @@
+Index: shadow-4.0.14/src/su.c
+===================================================================
+--- shadow-4.0.14.orig/src/su.c	2005-12-14 21:36:58.000000000 +0100
++++ shadow-4.0.14/src/su.c	2005-12-14 21:47:18.000000000 +0100
+@@ -358,9 +358,19 @@
+ 		};
+ 
+ 		while ((c =
+-			getopt_long (argc, argv, "hlmps:", long_options,
++			getopt_long (argc, argv, "-hlmps:", long_options,
+ 				     &option_index)) != -1) {
+ 			switch (c) {
++			case 1:
++				/* this is not an su option */
++				/* The next arguments are either '-', the
++				 * target name, or arguments to be passed
++				 * to the shell.
++				 */
++				/* rewind the (not yet handled) option */
++				optind--;
++				goto end_su_options;
++				break; /* NOT REACHED */
+ 			case 'h':
+ 				usage ();
+ 				break;
+@@ -375,9 +385,10 @@
+ 				shellstr = optarg;
+ 				break;
+ 			default:
+-				usage ();
++				usage (); /* NOT REACHED */
+ 			}
+ 		}
++end_su_options:
+ 		if (optind < argc && !strcmp (argv[optind], "-")) {
+ 			fakelogin = 1;
+ 			optind++;
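Review bot: The new `case 1:` depends on two things the code does not state: the leading `-` in `"-hlmps:"` is a GNU getopt extension that returns each non-option argument as code 1, and `optind--` assumes getopt_long advanced optind by exactly one for that argument. A comment next to the optstring, such as `/* leading '-': GNU getopt returns non-options as 1, so su stops parsing at the first one */`, would make this explicit. On a getopt without that extension, arguments meant for the shell might still be parsed as su options. The `break; /* NOT REACHED */` after the `goto` is dead code and can be dropped. The `/* NOT REACHED */` on `default:` holds only if usage() never returns, which is not visible here. The switch and the enclosing function start and end outside both inner hunks.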

Added: trunk/debian/patches/470_su.1_document_options
===================================================================
--- trunk/debian/patches/470_su.1_document_options	2005-12-14 22:10:48 UTC (rev 703)
+++ trunk/debian/patches/470_su.1_document_options	2005-12-14 22:13:48 UTC (rev 704)
@@ -0,0 +1,125 @@
+Index: shadow-4.0.14/man/su.1.xml
+===================================================================
+--- shadow-4.0.14.orig/man/su.1.xml	2005-12-14 22:18:39.000000000 +0100
++++ shadow-4.0.14/man/su.1.xml	2005-12-14 22:19:59.000000000 +0100
+@@ -15,6 +15,9 @@
+   <refsynopsisdiv id='synopsis'>
+     <cmdsynopsis>
+       <command>su</command>
++      <arg choice='opt'>
++	<replaceable>options</replaceable>
++      </arg>
+       <arg choice='opt'>- </arg>
+       <arg choice='opt'>
+ 	<arg choice='plain'>
+@@ -46,6 +49,11 @@
+       for the target user.
+     </para>
+ 
++    <para>
++      You can use the <option>--</option> argument to separate
++      <command>su</command> options from the arguments supplied to the shell.
++    </para>
++
+     <para>The user will be prompted for a password, if appropriate. Invalid
+       passwords will produce an error message. All attempts, both valid and
+       invalid, are logged to detect abuses of the system.
+@@ -68,6 +76,86 @@
+     </para>
+   </refsect1>
+ 
++  <refsect1 id='options'>
++    <title>OPTIONS</title>
++    <para>The options which apply to the <command>su</command> command are:
++    </para>
++    <variablelist remap='IP'>
++      <varlistentry>
++	<term>
++	  <option>-</option>, <option>-l</option>, <option>--login</option>
++	</term>
++	<listitem>
++	  <para>
++	    Provide an environment similar to what the user would expect had
++	    the user logged in directly.
++	  </para>
++	  <para>
++	    When <option>-</option> is used, it must be specified as the last
++	    <command>su</command> option.
++	    The other forms (<option>-l</option> and <option>--login</option>)
++	    do not have this restriction.
++	  </para>
++	</listitem>
++      </varlistentry>
++      <varlistentry>
++	<term>
++	  <option>-s</option>, <option>--shell</option>
++	</term>
++	<listitem>
++	  <para>The shell that will be invoked.</para>
++	  <para>
++	    The invoked shell is choosen among (higest priority first):
++	    <itemizedlist>
++	      <listitem>
++		<para>The shell specified with --shell</para>
++	      </listitem>
++	      <listitem>
++		<para>
++		  If <option>--preserve-environment</option> is used, the
++		  shell specified by the <envar>SHELL</envar> environment
++		  variable.
++		</para>
++	      </listitem>
++	      <listitem>
++		<para>
++		  The shell indicated in the /etc/passwd entry for the target
++		  user.
++		</para>
++	      </listitem>
++	      <listitem>
++		<para>
++		  /bin/sh if a shell could not be found by any above method.
++		</para>
++	      </listitem>
++	    </itemizedlist>
++	  </para>
++	  <para>
++	    If the target user has a restricted shell (i.e. the shell field of
++	    this user's entry in <filename>/etc/passwd</filename> is not
++	    specified in <filename>/etc/shell</filename>), then the
++	    <option>--shell</option> option or the <envar>SHELL</envar>
++	    environment variable won't be taken into account unless
++	    <command>su</command> is called by the root.
++	  </para>
++	</listitem>
++      </varlistentry>
++      <varlistentry>
++	<term>
++	  <option>-m</option>, <option>-p</option>,
++	  <option>--preserve-environment</option>
++	</term>
++	<listitem>
++	  <para>Preserve the current environment.</para>
++	  <para>
++	    If the target user has a restricted shell, this option has no
++	    effect (unless <command>su</command> is called by root).
++	  </para>
++	</listitem>
++      </varlistentry>
++    </variablelist>
++  </refsect1>
++
+   <refsect1 id='caveats'>
+     <title>CAVEATS</title>
+     <para>
+@@ -104,10 +192,7 @@
+       </citerefentry>,
+       <citerefentry>
+ 	<refentrytitle>sh</refentrytitle><manvolnum>1</manvolnum>
+-      </citerefentry>,
+-      <citerefentry>
+-	<refentrytitle>suauth</refentrytitle><manvolnum>5</manvolnum>
+-      </citerefentry>.
++      </citerefentry>
+     </para>
+   </refsect1>
+ </refentry>

Added: trunk/debian/patches/471_su_simplify_option_preserve_environment
===================================================================
--- trunk/debian/patches/471_su_simplify_option_preserve_environment	2005-12-14 22:10:48 UTC (rev 703)
+++ trunk/debian/patches/471_su_simplify_option_preserve_environment	2005-12-14 22:13:48 UTC (rev 704)
@@ -0,0 +1,54 @@
+Index: shadow-4.0.14/src/su.c
+===================================================================
+--- shadow-4.0.14.orig/src/su.c	2005-12-14 22:18:39.000000000 +0100
++++ shadow-4.0.14/src/su.c	2005-12-14 22:25:39.000000000 +0100
+@@ -379,6 +379,10 @@
+ 				break;
+ 			case 'm':
+ 			case 'p':
++				/* This will only have an effect if the target
++				 * user do not have a restricted shell, or if
++				 * su is called by root.
++				 */
+ 				change_environment = 0;
+ 				break;
+ 			case 's':
+@@ -510,14 +514,18 @@
+ #endif				/* !USE_PAM */
+ 	pwent = *pw;
+ 
++	/* If su is not called by root, and the target user has a restricted
++	 * shell, the environment must be changed.
++	 */
++	change_environment |= (restricted_shell(pwent.pw_shell) && !amroot);
++
+ 	/*
+ 	 * If a new login is being set up, the old environment will be
+ 	 * ignored and a new one created later on.
+ 	 * (note: in the case of a subsystem, the shell will be restricted,
+ 	 *        and this won't be executed on the first pass)
+ 	 */
+-	if (fakelogin &&
+-	    (change_environment || restricted_shell (pwent.pw_shell))) {
++	if (fakelogin && change_environment) {
+ 		/*
+ 		 * The terminal type will be left alone if it is present in
+ 		 * the environment already.
+@@ -785,7 +793,7 @@
+ 		exit (1);
+ 	}
+ 
+-	if (change_environment || restricted_shell (pwent.pw_shell)) {
++	if (change_environment) {
+ 		/* we need to setup the environment *after* pam_open_session(),
+ 		 * else the UID is changed before stuff like pam_xauth could
+ 		 * run, and we cannot access /etc/shadow and co
+@@ -817,7 +825,7 @@
+ 		exit (1);
+ #endif				/* !USE_PAM */
+ 
+-	if (change_environment || restricted_shell (pwent.pw_shell)) {
++	if (change_environment) {
+ 		if (fakelogin)
+ 			setup_env (&pwent);
+ 		else {
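Review bot: Despite the patch name, `change_environment |= (restricted_shell(pwent.pw_shell) && !amroot);` changes behaviour rather than only simplifying. The three old tests reset the environment for every restricted-shell target, while the new code lets a root caller keep it with -m/-p. That matches the comment added at `case 'm'`, but the patch header should say so, because the forced reset is what keeps a caller-controlled environment away from a restricted account. The line also relies on `amroot` being assigned before this point and on it reflecting the caller's real UID; neither is visible in these hunks, so please confirm both.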

Added: trunk/debian/patches/472_su_exported_variables
===================================================================
--- trunk/debian/patches/472_su_exported_variables	2005-12-14 22:10:48 UTC (rev 703)
+++ trunk/debian/patches/472_su_exported_variables	2005-12-14 22:13:48 UTC (rev 704)
@@ -0,0 +1,20 @@
+Index: shadow-4.0.14/src/su.c
+===================================================================
+--- shadow-4.0.14.orig/src/su.c	2005-12-14 22:25:39.000000000 +0100
++++ shadow-4.0.14/src/su.c	2005-12-14 22:46:42.000000000 +0100
+@@ -826,11 +826,13 @@
+ #endif				/* !USE_PAM */
+ 
+ 	if (change_environment) {
+-		if (fakelogin)
++		if (fakelogin) {
++			pwent.pw_shell = shellstr;
+ 			setup_env (&pwent);
+-		else {
++		} else {
+ 			addenv ("HOME", pwent.pw_dir);
+ 			addenv ("USER", pwent.pw_name);
++			addenv ("LOGNAME", pwent.pw_name);
+ 			addenv ("SHELL", shellstr);
+ 		}
+ 	}
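Review bot: `pwent.pw_shell = shellstr;` overwrites the passwd shell in the working copy, so any later `restricted_shell (pwent.pw_shell)` test would examine the selected shell (possibly from --shell or $SHELL) rather than the account's own entry. Nothing after this block is visible in the hunk, so please confirm no such test remains, and add a comment such as `/* pwent is a local copy; from here on pw_shell is the shell actually run */`. The assignment also assumes `shellstr` is non-NULL at this point. The fallback to the passwd shell shown in the context of patch 475 appears to guarantee that, but it is outside this hunk.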

Added: trunk/debian/patches/473_su_fix_comments
===================================================================
--- trunk/debian/patches/473_su_fix_comments	2005-12-14 22:10:48 UTC (rev 703)
+++ trunk/debian/patches/473_su_fix_comments	2005-12-14 22:13:48 UTC (rev 704)
@@ -0,0 +1,23 @@
+Index: shadow-4.0.14/src/su.c
+===================================================================
+--- shadow-4.0.14.orig/src/su.c	2005-12-14 22:27:12.000000000 +0100
++++ shadow-4.0.14/src/su.c	2005-12-14 22:31:30.000000000 +0100
+@@ -289,9 +289,6 @@
+  *	su changes the user's ids to the values for the specified user.  if
+  *	no new user name is specified, "root" is used by default.
+  *
+- *	The only valid option is a "-" character, which is interpreted as
+- *	requiring a new login session to be simulated.
+- *
+  *	Any additional arguments are passed to the user's shell. In
+  *	particular, the argument "-c" will cause the next argument to be
+  *	interpreted as a command by the common shell programs.
+@@ -868,7 +865,7 @@
+ 		/* Position argv to the remaining arguments */
+ 		argv += optind;
+ 		/*
+-		 * Use new user's shell from /etc/passwd and create an argv
++		 * Use the shell and create an argv
+ 		 * with the rest of the command line included.
+ 		 */
+ 		argv[-1] = shellstr;

Added: trunk/debian/patches/474_useradd_fix_comments
===================================================================
--- trunk/debian/patches/474_useradd_fix_comments	2005-12-14 22:10:48 UTC (rev 703)
+++ trunk/debian/patches/474_useradd_fix_comments	2005-12-14 22:13:48 UTC (rev 704)
@@ -0,0 +1,16 @@
+Index: shadow-4.0.14/src/useradd.c
+===================================================================
+--- shadow-4.0.14.orig/src/useradd.c	2005-12-14 21:05:25.000000000 +0100
++++ shadow-4.0.14/src/useradd.c	2005-12-14 22:32:33.000000000 +0100
+@@ -1402,9 +1402,9 @@
+ 
+ 
+ /*
+- * grp_update - add new group file entries
++ * grp_add - add new group file entries
+  *
+- *      grp_update() writes the new records to the group files.
++ *      grp_add() writes the new records to the group files.
+  */
+ 
+ static void grp_add (void)

Added: trunk/debian/patches/475_su_use_amroot_instead_of_getuid
===================================================================
--- trunk/debian/patches/475_su_use_amroot_instead_of_getuid	2005-12-14 22:10:48 UTC (rev 703)
+++ trunk/debian/patches/475_su_use_amroot_instead_of_getuid	2005-12-14 22:13:48 UTC (rev 704)
@@ -0,0 +1,13 @@
+Index: shadow-4.0.14/src/su.c
+===================================================================
+--- shadow-4.0.14.orig/src/su.c	2005-12-14 22:31:30.000000000 +0100
++++ shadow-4.0.14/src/su.c	2005-12-14 22:34:06.000000000 +0100
+@@ -608,7 +608,7 @@
+ 	/* For users with non null UID, if this user has a restricted
+ 	 * shell, the shell must be the one specified in /etc/passwd
+ 	 */
+-	if (shellstr != NULL && getuid () && restricted_shell (pwent.pw_shell))
++	if (shellstr != NULL && !amroot && restricted_shell (pwent.pw_shell))
+ 		shellstr = NULL;
+ 	/* If the shell is not set at this time, use the shell specified
+ 	 * in /etc/passwd.
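Review bot: Replacing `getuid ()` with `!amroot` is equivalent only if `amroot` is computed from the real UID. su normally runs setuid root, so a flag derived from the effective UID would always be true, and this guard would never clear a caller-supplied `shellstr` for a restricted-shell account. The assignment of `amroot` is outside the hunk, so please confirm it and consider extending the comment above the test, e.g. `/* amroot is set when the caller's real UID is 0 */`.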

Modified: trunk/debian/patches/series
===================================================================
--- trunk/debian/patches/series	2005-12-14 22:10:48 UTC (rev 703)
+++ trunk/debian/patches/series	2005-12-14 22:13:48 UTC (rev 704)
@@ -53,6 +53,13 @@
 366_fflush-prompt
 468_duplicate_passwd_struct_before_usage
 502_fix_generated_man_pages
+469_non-su-options
+470_su.1_document_options
+471_su_simplify_option_preserve_environment
+472_su_exported_variables
+473_su_fix_comments
+474_useradd_fix_comments
+475_su_use_amroot_instead_of_getuid
 # 999-2 is about using cdbs. It does not patch upstream files
 # so shouldn't be here, but we keep it for the future
 # 999-2_build_using_cdbs



